diff --git a/bin/goldilocks.js b/bin/goldilocks.js
index 21717de..06a340b 100755
--- a/bin/goldilocks.js
+++ b/bin/goldilocks.js
@@ -56,6 +56,27 @@ function fixRawConfig(config) {
     delete config.dns;
     updated = true;
   }
+  // Convert all 'proxy' UDP modules to 'forward' modules that specify which
+  // incoming ports are relevant. Primarily to make 'proxy' modules consistent
+  // in needing relevant domain names.
+  if (config.udp && !Array.isArray(config.udp.bind)) {
+    config.udp.bind = [].concat(config.udp.bind || []);
+    updated = true;
+  }
+  if (config.udp && config.udp.modules) {
+    if (!config.udp.bind.length || !Array.isArray(config.udp.modules)) {
+      delete config.udp.modules;
+      updated = true;
+    } else {
+      config.udp.modules.forEach(function (mod) {
+        if (mod.type === 'proxy') {
+          mod.type = 'forward';
+          mod.ports = config.udp.bind.slice();
+          updated = true;
+        }
+      });
+    }
+  }
 
   // This we take the old way of defining ACME options and put them into a tls module.
   if (config.tls) {
diff --git a/lib/admin/config.js b/lib/admin/config.js
index 9cdb3a9..1ac3dd1 100644
--- a/lib/admin/config.js
+++ b/lib/admin/config.js
@@ -49,7 +49,8 @@ var moduleSchemas = {
     }
   }
 };
-// forward is basically the name for the TCP proxy
+// forward is basically the same as proxy, but specifies the relevant incoming port(s).
+// only allows for the raw transport layers (TCP/UDP)
 moduleSchemas.forward = JSON.parse(JSON.stringify(moduleSchemas.proxy));
 moduleSchemas.forward.required = [ 'ports' ];
 moduleSchemas.forward.properties.ports = { type: 'array', items: portSchema };
@@ -70,7 +71,7 @@ var moduleRefs = {
   http: [ 'proxy', 'static', 'redirect' ].map(toSchemaRef)
 , tls:  [ 'proxy', 'acme' ].map(toSchemaRef)
 , tcp:  [ 'forward' ].map(toSchemaRef)
-, udp:  [ 'proxy' ].map(toSchemaRef)
+, udp:  [ 'forward' ].map(toSchemaRef)
 };
 
 function addDomainRequirement(itemSchema) {
diff --git a/lib/goldilocks.js b/lib/goldilocks.js
index 917a5bb..8ad86b3 100644
--- a/lib/goldilocks.js
+++ b/lib/goldilocks.js
@@ -95,16 +95,20 @@ module.exports.create = function (deps, config) {
     });
   }
 
-  function dnsListener(msg) {
+  function dnsListener(port, msg) {
     if (!Array.isArray(config.udp.modules)) {
       return;
     }
     var socket = require('dgram').createSocket('udp4');
     config.udp.modules.forEach(function (mod) {
-      if (mod.type !== 'proxy') {
+      if (mod.type !== 'forward') {
         console.warn('found bad DNS module', mod);
         return;
       }
+      if (mod.ports.indexOf(port) < 0) {
+        return;
+      }
+
       var dest = require('./domain-utils').separatePort(mod.address || '');
       dest.port = dest.port || mod.port;
       dest.host = dest.host || mod.host || 'localhost';
@@ -224,13 +228,9 @@ module.exports.create = function (deps, config) {
   });
 
   if (config.udp.bind) {
-    if (Array.isArray(config.udp.bind)) {
-      config.udp.bind.map(function (port) {
-        listenPromises.push(listeners.udp.add(port, dnsListener));
-      });
-    } else {
-      listenPromises.push(listeners.udp.add(config.udp.bind, dnsListener));
-    }
+    config.udp.bind.forEach(function (port) {
+      listenPromises.push(listeners.udp.add(port, dnsListener.bind(port)));
+    });
   }
 
   if (!config.mdns.disabled) {